Privacy Policy

OpenDQV Cloud is operated by BGMS Consultants Ltd [trading as OpenDQV Cloud], registered in England and Wales. We provide write-time data quality enforcement services for enterprise customers.

For questions about this policy: privacy@opendqv.com

2.1 Account and signup data

When you create a trial account we collect: your name, email address, and company name. We use this to create your account, send you the trial token, and contact you about your trial. Legal basis: contract performance (Article 6(1)(b) GDPR).

2.2 Validation audit events

When you use the API to validate data, we store metadata about each validation: contract name, whether the record was valid, error counts, rule failure names, latency, and timestamp. We do not store the actual data records you validate — validation payloads are processed in memory and never persisted.

Audit events are stored in the cloud cell you selected at signup (AWS eu-west-1, Azure westeurope, or GCP europe-west1). They never leave that region. Legal basis: contract performance (Article 6(1)(b) GDPR) and legitimate interests (Article 6(1)(f) GDPR) — audit trails are required for data quality governance.

2.3 Usage and billing data

We count Operational Data Units (ODUs) consumed per tenant. These are aggregate counts only — no validation content is included. ODU totals are processed by our coordinator (Cloudflare Workers) and used for billing.

Payment information is handled entirely by Stripe. We never store card details. We receive a Stripe customer ID and subscription ID to manage your billing relationship.

2.4 Technical logs

We retain application logs (request method, path, status code, latency, IP address) for 30 days for security and debugging purposes. Legal basis: legitimate interests (Article 6(1)(f) GDPR).

Audit events are retained for 12 months by default. You may export your full audit log at any time via the dashboard or the API (GET /api/v1/audit/export) and request deletion (see §5).

Account data is retained for as long as you have an active account plus 30 days after account closure, unless you request earlier deletion.

Application logs: 30 days. Compliance exports (where enabled): 12 months.

• Cloudflare — coordinator (EU edge, ODU aggregation)
• AWS / Microsoft Azure / Google Cloud — cell infrastructure (data stays in region you selected)
• Stripe — payment processing
• Vercel — trial web app hosting

We do not sell your data. We do not share it with third parties for marketing. All processors are bound by GDPR-compliant data processing agreements.

Under UK GDPR and EU GDPR you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — request deletion of your data (“right to be forgotten”)
• Portability — receive your data in a machine-readable format
• Restriction — request we stop processing your data
• Objection — object to processing based on legitimate interests

To exercise any right: email privacy@opendqv.com. We respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

If you use OpenDQV Cloud to validate personal data on behalf of your customers or employees, you are the data controller and we are a data processor under Article 28 GDPR. A Data Processing Agreement (DPA) is available on request.

Reminder: validation payloads are not stored. The DPA governs the processing of any personal data present in validation requests, which occurs transiently in memory only.

Data is processed in the EU/UK region you selected at signup. The coordinator (Cloudflare) processes aggregate ODU counts at EU edge nodes only. No validation content is transferred outside your selected region.

The web app uses a secure, HttpOnly session cookie to authenticate your session. This cookie is set by the coordinator and contains only a session identifier — no personal data. It is encrypted in transit (HTTPS only) and cannot be read by JavaScript.

We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

We will notify you by email before making material changes to this policy. The “last updated” date at the top of this page records the most recent revision.